ALC Mitigation Plan for Product Holes

Tuesday, August 22, 2017 @ 04:08 PM gHale

Automated Logic Corporation (ALC) is offering a mitigation plan to help ward off multiple vulnerabilities in its WebCTRL, i-Vu and SiteScan products, according to an ICS-CERT report.

The vulnerabilities include an unquoted search path or element; improper limitation of a pathname to a restricted directory (better known as a path traversal); and an unrestricted upload of a file with a dangerous type.

Successful exploitation of these vulnerabilities, discovered by Gjoko Krstic from Zero Science Lab, could allow an authenticated user to elevate his or her privileges to execute arbitrary code on the system.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

An unquoted search path vulnerability may allow a non-privileged local attacker to change files in the installation directory and execute arbitrary code with elevated privileges.

CVE-2017-9644 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.
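The following added example (not from ALC or the ICS-CERT report) shows how a defender can audit for the unquoted search path class described above. It assumes the affected component is registered as a Windows service; the service names and paths are constructed, hypothetical values.

```python
import re

# Constructed sample: service name -> ImagePath string as stored in the registry.
# Names and paths are hypothetical, not taken from the ALC products.
SAMPLE_SERVICES = {
    "ExampleBuildingSvc": r"C:\Program Files\Example BMS\bin\server.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example BMS\bin\agent.exe" --run',
    "NoSpaceSvc": r"C:\Tools\agent.exe /start",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# The first ".exe" followed by whitespace or end of string ends the program path.
_EXE_END = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            end = len(s)
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_END.match(s)
    if not m:  # no .exe found: return the string unchanged
        return s, "", False
    return m.group(1), m.group(2).strip(), False


def audit_services(services):
    """Return {name: corrected ImagePath} for each unquoted path containing a space."""
    findings = {}
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        # Unquoted + space is the ambiguous case: Windows may resolve a
        # shorter prefix of the path as the program to launch.
        if not quoted and " " in exe:
            findings[name] = f'"{exe}" {args}'.strip()
    return findings


if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, suggested ImagePath: {fixed}")
```

On a live host the same check would be fed the real ImagePath values from the service registry keys, and any flagged installation directory should also have its write permissions reviewed.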

In addition, an authenticated attacker may be able to overwrite files used to execute code. This vulnerability does not affect version 6.5 of the software.

CVE-2017-9640 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Also, an authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code.

CVE-2017-9650 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.

The products see use mainly in the commercial facilities sector and are deployed on a global basis.

Kennesaw, Georgia-based ALC provides support for WebCTRL, i-Vu and SiteScan Web versions 6.0 and greater. Users on prior versions, including 5.5 and 5.2, must upgrade to a supported version in order to install these mitigation patches.